CVE-2022-50944

HIGH 8.8

Aero CMS 0.0.1 PHP Code Injection via posts.php

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

14th

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.

CWE	CWE-94
Vendor	megatkc
Product	aero cms
Published	May 10, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for megatkc aero cms

Be the first to know when new high vulnerabilities affecting megatkc aero cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

MegaTKC / Aero CMS

0.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/51085 github.com: https://github.com/MegaTKC/AeroCMS vulncheck.com: https://www.vulncheck.com/advisories/aero-cms-php-code-injection-via-posts-php

Credits

Hubert Wojciechowski